Changeset 33438 in webkit
- Timestamp:
- May 14, 2008 5:14:56 AM (16 years ago)
- Location:
- branches/squirrelfish
- Files:
-
- 2 added
- 6 edited
branches/squirrelfish/JavaScriptCore/ChangeLog
r33437 r33438 1 2008-05-14 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Maciej. 4 5 Bug 19024: SQUIRRELFISH: ASSERTION FAILED: activation->isActivationObject() in Machine::unwindCallFrame 6 <https://bugs.webkit.org/show_bug.cgi?id=19024> 7 8 This fixes a number of issues. The most important is that we now check every register 9 file for tainting rather than just looking for function register files as that was 10 insufficient. Additionally guarded against implicit re-entry into Eval code. 11 12 Also added a few additional assertions to reduce the amout of time between something 13 going wrong and us seeing the error. 14 15 * VM/Machine.cpp: 16 (KJS::Machine::execute): 17 (KJS::Machine::privateExecute): 18 * VM/RegisterFile.cpp: 19 (KJS::RegisterFile::growBuffer): 20 (KJS::RegisterFile::addGlobalSlots): 21 * VM/RegisterFileStack.cpp: 22 (KJS::RegisterFileStack::pushGlobalRegisterFile): 23 (KJS::RegisterFileStack::pushFunctionRegisterFile): 24 * VM/RegisterFileStack.h: 25 (KJS::RegisterFileStack::inImplicitCall): 26 1 27 2008-05-14 Geoffrey Garen <ggaren@apple.com> 2 28 -
branches/squirrelfish/JavaScriptCore/VM/Machine.cpp
r33437 r33438 724 724 { 725 725 RegisterFile* registerFile = registerFileStack->current(); 726 return Machine::execute(evalNode, exec, thisObj, registerFile, registerFile->size(), scopeChain, exception); 726 if (registerFile->safeForReentry()) 727 return Machine::execute(evalNode, exec, thisObj, registerFile, registerFile->size(), scopeChain, exception); 728 registerFile = registerFileStack->pushFunctionRegisterFile(); 729 JSValue* result = Machine::execute(evalNode, exec, thisObj, registerFile, registerFile->size(), scopeChain, exception); 730 registerFileStack->popFunctionRegisterFile(); 731 return result; 727 732 } 728 733 … … 1422 1427 int base = (++vPC)->u.operand; 1423 1428 int property = (++vPC)->u.operand; 1424 1429 #ifndef NDEBUG 1430 int registerOffset = r - (*registerBase); 1431 #endif 1425 1432 JSObject* baseObj = r[base].u.jsValue->toObject(exec); 1426 1433 1427 1434 Identifier& ident = codeBlock->identifiers[property]; 1428 1435 JSValue *result = baseObj->get(exec, ident); 1436 ASSERT(registerOffset == (r - (*registerBase))); 1429 1437 VM_CHECK_EXCEPTION(); 1430 1438 r[dst].u.jsValue = result; … … 1444 1452 int property = (++vPC)->u.operand; 1445 1453 int value = (++vPC)->u.operand; 1454 #ifndef NDEBUG 1455 int registerOffset = r - (*registerBase); 1456 #endif 1446 1457 1447 1458 JSObject* baseObj = r[base].u.jsValue->toObject(exec); … … 1449 1460 Identifier& ident = codeBlock->identifiers[property]; 1450 1461 baseObj->put(exec, ident, r[value].u.jsValue); 1462 ASSERT(registerOffset == (r - (*registerBase))); 1451 1463 1452 1464 VM_CHECK_EXCEPTION(); -
branches/squirrelfish/JavaScriptCore/VM/RegisterFile.cpp
r33327 r33438 53 53 if (minCapacity > m_maxSize) 54 54 return false; 55 55 56 size_t numGlobalSlots = this->numGlobalSlots(); 56 57 size_t size = m_size + numGlobalSlots; … … 69 70 if (!count) 70 71 return; 71 72 ASSERT(safeForReentry()); 72 73 size_t numGlobalSlots = this->numGlobalSlots(); 73 74 size_t size = m_size + numGlobalSlots; -
branches/squirrelfish/JavaScriptCore/VM/RegisterFileStack.cpp
r33371 r33438 45 45 46 46 // Common case: Existing register file is not in use: re-use it. 47 if (!current->size()) 47 if (!current->size()) { 48 current->setSafeForReentry(true); 48 49 return current; 50 } 49 51 50 52 // Slow case: Existing register file is in use: Create a nested … … 87 89 RegisterFile* RegisterFileStack::pushFunctionRegisterFile() 88 90 { 89 m_functionStackDepth++;90 91 return allocateRegisterFile(current()->maxSize() - current()->size()); 91 92 } … … 93 94 void RegisterFileStack::popFunctionRegisterFile() 94 95 { 95 m_functionStackDepth--;96 96 delete m_stack.last(); 97 97 m_stack.removeLast(); -
branches/squirrelfish/JavaScriptCore/VM/RegisterFileStack.h
r33371 r33438 39 39 RegisterFileStack() 40 40 : m_globalBase(0) 41 , m_functionStackDepth(0)42 41 { 43 42 allocateRegisterFile(RegisterFile::DefaultRegisterFileSize, this); … … 70 69 } 71 70 72 bool inImplicitCall() { return m_functionStackDepth > 0; } 71 bool inImplicitCall() { 72 for (size_t i = 0; i < m_stack.size(); ++i) { 73 if (!m_stack[i]->safeForReentry()) 74 return true; 75 } 76 return false; 77 } 78 73 79 private: 74 80 typedef Vector<RegisterFile*, 4> Stack; … … 91 97 Stack m_stack; 92 98 Register* m_globalBase; 93 int m_functionStackDepth;94 99 }; 95 100 -
branches/squirrelfish/LayoutTests/ChangeLog
r33436 r33438 1 2008-05-14 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Maciej. 4 5 Bug 19024: SQUIRRELFISH: ASSERTION FAILED: activation->isActivationObject() in Machine::unwindCallFrame 6 <https://bugs.webkit.org/show_bug.cgi?id=19024> 7 8 Make sure we handled tainted global RegisterFiles properly. 9 10 * fast/js/implicit-global-to-global-reentry-expected.txt: Added. 11 * fast/js/implicit-global-to-global-reentry.html: Added. 12 1 13 2008-05-14 Oliver Hunt <oliver@apple.com> 2 14